CVE-2022-34903

Published: 1 July 2022

GnuPG through 2.3.6, in unusual situations where an attacker possesses any secret-key information from a victim's keyring and other constraints (e.g., use of GPGME) are met, allows signature forgery via injection into the status line.

Notes

Author: sbeattie
Note: issue may not be as severe in gnupg 1

Priority

Medium

CVSS 3 base score: 6.5

Status

Package Release Status

gnupg (Launchpad, Ubuntu, Debian)
bionic Does not exist
focal Does not exist
impish Does not exist
jammy Does not exist
trusty Released (1.4.16-1ubuntu2.6+esm1)
upstream Released (2.2.35-3)
xenial Released (1.4.20-1ubuntu3.3+esm2)
Patches:
upstream: https://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=commit;h=34c649b3601383cd11dbc76221747ec16fd68e1b

gnupg2 (Launchpad, Ubuntu, Debian)
bionic Released (2.2.4-1ubuntu1.6)
focal Released (2.2.19-3ubuntu2.2)
impish Released (2.2.20-1ubuntu4.1)
jammy Released (2.2.27-3ubuntu2.1)
trusty Does not exist
upstream Released (2.2.35-3)
xenial Released (2.1.11-6ubuntu2.1+esm1)
Patches:
upstream: https://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=commit;h=34c649b3601383cd11dbc76221747ec16fd68e1b